[Freeipa-users] Trouble with new installation

Dumbo Q dumboq at yahoo.com
Thu Jun 4 21:02:14 UTC 2009


Alright, now I'm starting to get somewhere!
kadmin was not running, and I was getting
Jun 04 16:05:00 auth01.mydom.com krb5kdc[4001](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.30.1.53: NEEDED_PREAUTH: test@MYDOM.COM for kadmin/changepw@MYDOM.COM, Additional pre-authentication required
Jun 04 16:05:00 auth01.mydom.com krb5kdc[4001](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.30.1.53: ISSUE: authtime 1244145900, etypes {rep=18 tkt=18 ses=18}, test@MYDOM.COM for kadmin/changepw@MYDOM.COM
Jun 04 16:05:08 auth01.mydom.com krb5kdc[4001](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.30.1.53: NEEDED_PREAUTH: kadmin/changepw@MYDOM.COM for krbtgt/MYDOM.COM@MYDOM.COM, Additional pre-authentication required
Jun 04 16:05:08 auth01.mydom.com krb5kdc[4001](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.30.1.53: ISSUE: authtime 1244145908, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@MYDOM.COM for krbtgt/MYDOM.COM@MYDOM.COM
Jun 04 16:05:08 auth01.mydom.com krb5kdc[4001](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.30.1.53: ISSUE: authtime 1244145908, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@MYDOM.COM for ldap/auth01.mydom.com@MYDOM.COM

/sbin/service kadmin start
/sbin/chkconfig kadmin on 
Now it hangs for a minute when changing the password, and I see the following in /var/log/messages.
Jun  4 16:47:02 auth01 kpasswd[19933]: Unable to read request: Key version number for principal in key table is incorrect
Jun  4 16:47:10 auth01 kpasswd[19935]: Unable to read request: Key version number for principal in key table is incorrect
Jun  4 16:47:19 auth01 kpasswd[19951]: Unable to read request: Key version number for principal in key table is incorrect

Note: the above messages were from using the passwd command. (In my previous posts I usually try passwd, kpasswd, and ipa-passwd.)

I tried again with ipa-passwd and it worked right away!  Did an ldapsearch and can see that my expiration is now 200909...

Thanks everyone for your help with this.

Two more questions while on this topic.
1. Is it to be expected that passwords should be changed using ipa-password and not regular passwd?
2. Is there any documentation that shows the technical layout of how things are supposed to work, including the services and how they all integrate together? I found a diagram online but it was very top level and didn't explain much more than I could have guessed without any ldap or kerberos experience. I would create this myself, but I am clearly not the one for the task :)

________________________________
From: Simo Sorce <ssorce at redhat.com>
To: Dumbo Q <dumboq at yahoo.com>
Cc: Christian Horn <chorn at fluxcoil.net>; freeipa-users at redhat.com
Sent: Thursday, June 4, 2009 4:15:00 PM
Subject: Re: [Freeipa-users] Trouble with new installation

On Thu, 2009-06-04 at 13:05 -0700, Dumbo Q wrote:
> That had me thinking that maybe the user was not allowed to access the
> specific machine. I've gone through the docs a few times, and cannot
> find where my problem may be.
> 
> As a test i created the following file
> dn: uid=test,cn=users,cn=accounts,dc=mydom,dc=com
> changetype: modify
> replace: krbPasswordExpiration
> krbPasswordExpiration: 20090605194542Z
> 
> [root@auth01 ~]# ldapmodify -h localhost -xv -D cn="Directory Manager"
> -W -f /root/testexpire.ldif
> ldap_initialize( ldap://localhost )
> Enter LDAP Password:
> replace krbPasswordExpiration:
>         20090605194542Z
> modifying entry "uid=test,cn=users,cn=accounts,dc=mydom,dc=com"
> modify complete
> 
> 
> The test user was now able to login to the server as i had hoped.
> I ran the 'passwd' command,  entered my kerb pass, then picked a new
> pass.
> /var/log/messages again said:
> Jun  4 15:58:40 auth01 kpasswd[18390]: Unable to bind to ldap server
> Jun  4 15:58:40 auth01 kpasswd[18390]: Server Error while performing
> LDAP password change
> 
> what could be going wrong here?? 
> i also tried running kinit, and then changing the passwd with the same
> results.

Have you tried to start kadmin by chance ?
I think I remember on some older versions the kadmin init script will
happily generate a new kadmin/changepw secret making the one we stored
in the ipa-kpasswd specific keytab useless.

Can you check if you see errors in krb5kdc.log regarding obtaining a TGT
for kadmin/changepw ?

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York


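The "Key version number for principal in key table is incorrect" error above is a kvno mismatch: the keytab that ipa-kpasswd reads still holds the old kadmin/changepw key, while the KDC has moved to a newer kvno after kadmin regenerated the secret. The check a practitioner wants is to compare the kvno in the keytab with the kvno the KDC currently issues tickets under. The script below is an added example written for this page, not code from the thread or from FreeIPA; it parses the output of `klist -kt <keytab>` and of `kvno <principal>` and reports any principal whose keytab lacks the KDC's current kvno. The sample outputs, the kvno values and the keytab path /var/kerberos/krb5kdc/kpasswd.keytab are constructed for illustration (the thread does not name the keytab); the MYDOM.COM realm and principals are the ones from the log lines above.

```python
"""
Added example: detect stale keytab entries by comparing keytab kvnos
(klist -kt) with the kvno the KDC is currently using (kvno).

Usage (live):  check_kvno.py <keytab> <principal> [<principal> ...]
Usage (demo):  check_kvno.py          -> runs on the constructed sample below
"""
import re
import subprocess
import sys

# klist -kt line:  "   2 06/04/09 10:12:31 kadmin/changepw@MYDOM.COM"
# klist -kte line: "   2 06/04/09 10:12:31 kadmin/changepw@MYDOM.COM (aes256-cts-hmac-sha1-96)"
KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)(?:\s+\(.*\))?\s*$")
# kvno line:       "kadmin/changepw@MYDOM.COM: kvno = 3"
KVNO_LINE = re.compile(r"^(\S+): kvno = (\d+)\s*$")

# Constructed sample data (not real output from the poster's system).
SAMPLE_KLIST = """\
Keytab name: FILE:/var/kerberos/krb5kdc/kpasswd.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 06/04/09 10:12:31 kadmin/changepw@MYDOM.COM
   2 06/04/09 10:12:31 kadmin/changepw@MYDOM.COM
   1 06/04/09 10:12:31 ldap/auth01.mydom.com@MYDOM.COM
"""
SAMPLE_KVNO = """\
kadmin/changepw@MYDOM.COM: kvno = 3
ldap/auth01.mydom.com@MYDOM.COM: kvno = 1
"""


def parse_klist(text):
    """Map principal -> set of kvnos present in the keytab (a keytab may hold
    several key versions for one principal, one per enctype or rotation)."""
    found = {}
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            found.setdefault(m.group(2), set()).add(int(m.group(1)))
    return found


def parse_kvno(text):
    """Map principal -> kvno of the key the KDC used for the ticket it issued;
    that is the KDC's current key version for the principal."""
    found = {}
    for line in text.splitlines():
        m = KVNO_LINE.match(line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found


def stale_principals(keytab_kvnos, kdc_kvnos):
    """Return [(principal, sorted keytab kvnos, kdc kvno)] for every principal
    whose keytab does not contain the kvno the KDC currently uses.  An empty
    list means the keytab can decrypt what the KDC issues."""
    stale = []
    for princ, kdc_kvno in sorted(kdc_kvnos.items()):
        have = keytab_kvnos.get(princ, set())
        if kdc_kvno not in have:
            stale.append((princ, sorted(have), kdc_kvno))
    return stale


def run(cmd):
    """Run a Kerberos CLI tool and return its stdout.  `kvno` needs a valid
    TGT in the credential cache; `klist -kt` needs read access to the keytab."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def main(argv):
    if len(argv) >= 3:
        klist_out = run(["klist", "-kt", argv[1]])
        kvno_out = run(["kvno"] + argv[2:])
    else:
        klist_out, kvno_out = SAMPLE_KLIST, SAMPLE_KVNO  # constructed demo data
    stale = stale_principals(parse_klist(klist_out), parse_kvno(kvno_out))
    for princ, have, want in stale:
        print(f"STALE {princ}: keytab has kvno {have}, KDC uses kvno {want}")
    if not stale:
        print("all keytab entries match the KDC")
    return 1 if stale else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the constructed sample the script flags kadmin/changepw@MYDOM.COM (keytab kvno 2, KDC kvno 3) and passes ldap/auth01.mydom.com@MYDOM.COM, which is the pattern the kpasswd log lines above point to. A quicker spot check with MIT tools alone is `kvno -k <keytab> kadmin/changepw`, which decrypts the obtained ticket with the keytab and fails with the same "Key version number for principal in key table is incorrect" message when the keytab is stale. Whatever the fix, the keytab and the KDC must end up agreeing on the kadmin/changepw key; re-running a kadmin init script that regenerates the secret, as Simo describes, will put them out of step again.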